Re: [PR] fix Resolving XML external entity in user-controlled data `Digester.java` [tomcat]
ChristopherSchultz commented on PR #846:
URL: https://github.com/apache/tomcat/pull/846#issuecomment-2835627565

3. The Digester is a package-renamed dependency from an upstream provider, used as a library. This change does not belong in library code.
4. The ability to expand XML entities, etc. is an *intentional feature of Tomcat configuration files* and will not be removed.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For queries about this service, please contact Infrastructure at: us...@infra.apache.org

To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
Buildbot success in on tomcat-12.0.x
Build status: Build succeeded!
Worker used: bb_worker2_ubuntu
URL: https://ci2.apache.org/#builders/120/builds/530
Blamelist: Mark Thomas
Build Text: build successful
Status Detected: restored build
Build Source Stamp: [branch main] 0bfa84b7b343dc440e3e9b22d7d9f4326102a8c3

Steps:
  worker_preparation: 0
  git: 0
  shell: 0
  shell_1: 0
  shell_2: 0
  shell_3: 0
  shell_4: 0
  shell_5: 0
  shell_6: 0
  shell_7: 0
  compile: 1
  shell_8: 0
  shell_9: 0
  shell_10: 0
  shell_11: 0
  Rsync docs to nightlies.apache.org: 0
  shell_12: 0
  Rsync RAT to nightlies.apache.org: 0
  compile_1: 1
  shell_13: 0
  Rsync Logs to nightlies.apache.org: 0

-- ASF Buildbot
[Bug 69659] Automatic JSP EL optimization
https://bz.apache.org/bugzilla/show_bug.cgi?id=69659

--- Comment #3 from Mark Thomas ---
That null handling behaviour isn't what I'd expect. I'd expect some exceptions.

Can you create a simple JSP that demonstrates the null handling you are seeing?

--
You are receiving this mail because:
You are the assignee for the bug.
(tomcat) branch 11.0.x updated: Fix comment typo
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 11.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/11.0.x by this push: new 5ff3dddc10 Fix comment typo 5ff3dddc10 is described below commit 5ff3dddc1048eb7bb8b9deff7606096f8880ae9b Author: Mark Thomas AuthorDate: Mon Apr 28 07:27:44 2025 +0100 Fix comment typo --- java/org/apache/catalina/servlets/CGIServlet.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/java/org/apache/catalina/servlets/CGIServlet.java b/java/org/apache/catalina/servlets/CGIServlet.java index 1b468d0668..510d2782e7 100644 --- a/java/org/apache/catalina/servlets/CGIServlet.java +++ b/java/org/apache/catalina/servlets/CGIServlet.java @@ -571,7 +571,7 @@ public final class CGIServlet extends HttpServlet { @Override protected void doOptions(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException { // Note: This method will never be called if cgiMethods is "*" so that -// case does nto need to be handled here. +// case does not need to be handled here. Set allowedMethods = new HashSet<>(); allowedMethods.addAll(cgiMethods); allowedMethods.addAll(DEFAULT_SUPER_METHODS); - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
(tomcat) branch 10.1.x updated: Fix comment typo
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 10.1.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/10.1.x by this push: new 9daffd56de Fix comment typo 9daffd56de is described below commit 9daffd56deadfa8190593a0322cbb24d18c3fce4 Author: Mark Thomas AuthorDate: Mon Apr 28 07:27:44 2025 +0100 Fix comment typo --- java/org/apache/catalina/servlets/CGIServlet.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/java/org/apache/catalina/servlets/CGIServlet.java b/java/org/apache/catalina/servlets/CGIServlet.java index 3cb5432295..3c1b7bd6d2 100644 --- a/java/org/apache/catalina/servlets/CGIServlet.java +++ b/java/org/apache/catalina/servlets/CGIServlet.java @@ -564,7 +564,7 @@ public final class CGIServlet extends HttpServlet { @Override protected void doOptions(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException { // Note: This method will never be called if cgiMethods is "*" so that -// case does nto need to be handled here. +// case does not need to be handled here. Set allowedMethods = new HashSet<>(); allowedMethods.addAll(cgiMethods); allowedMethods.addAll(DEFAULT_SUPER_METHODS); - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
(tomcat) branch 9.0.x updated: Fix comment typo
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/9.0.x by this push: new 406aff8f77 Fix comment typo 406aff8f77 is described below commit 406aff8f77e36366feea0ee0dce97fccb5e1f8a9 Author: Mark Thomas AuthorDate: Mon Apr 28 07:27:44 2025 +0100 Fix comment typo --- java/org/apache/catalina/servlets/CGIServlet.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/java/org/apache/catalina/servlets/CGIServlet.java b/java/org/apache/catalina/servlets/CGIServlet.java index c20fe2b2e0..57a9b82c8d 100644 --- a/java/org/apache/catalina/servlets/CGIServlet.java +++ b/java/org/apache/catalina/servlets/CGIServlet.java @@ -563,7 +563,7 @@ public final class CGIServlet extends HttpServlet { @Override protected void doOptions(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException { // Note: This method will never be called if cgiMethods is "*" so that -// case does nto need to be handled here. +// case does not need to be handled here. Set allowedMethods = new HashSet<>(); allowedMethods.addAll(cgiMethods); allowedMethods.addAll(DEFAULT_SUPER_METHODS); - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
(tomcat) branch main updated: Fix comment typo
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/main by this push: new d180afd3d2 Fix comment typo d180afd3d2 is described below commit d180afd3d20ed02b927bd95cefcd1558ff2e3712 Author: Mark Thomas AuthorDate: Mon Apr 28 07:27:44 2025 +0100 Fix comment typo --- java/org/apache/catalina/servlets/CGIServlet.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/java/org/apache/catalina/servlets/CGIServlet.java b/java/org/apache/catalina/servlets/CGIServlet.java index 1b468d0668..510d2782e7 100644 --- a/java/org/apache/catalina/servlets/CGIServlet.java +++ b/java/org/apache/catalina/servlets/CGIServlet.java @@ -571,7 +571,7 @@ public final class CGIServlet extends HttpServlet { @Override protected void doOptions(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException { // Note: This method will never be called if cgiMethods is "*" so that -// case does nto need to be handled here. +// case does not need to be handled here. Set allowedMethods = new HashSet<>(); allowedMethods.addAll(cgiMethods); allowedMethods.addAll(DEFAULT_SUPER_METHODS); - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 69657] session timeout not set when accessing / and its redirected to index.jsp
https://bz.apache.org/bugzilla/show_bug.cgi?id=69657

Remy Maucherat changed:

  What   |Removed |Added
  Status |NEW     |NEEDINFO

--- Comment #1 from Remy Maucherat ---
The default Tomcat conf.web.xml includes:
30
So this sets timeout for all sessions to 30 minutes.

I verified on trunk that the session timeout for a session created in the ROOT webapp was indeed 1800s.

Please give more details to allow reproducing the issue.
(tomcat) branch 11.0.x updated: Update Byte Buddy to 1.17.5
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 11.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/11.0.x by this push: new c264f95573 Update Byte Buddy to 1.17.5 c264f95573 is described below commit c264f95573959286410f1a3e40a7a1929a832f5a Author: Mark Thomas AuthorDate: Mon Apr 28 20:49:58 2025 +0100 Update Byte Buddy to 1.17.5 --- build.properties.default | 4 ++-- webapps/docs/changelog.xml | 3 +++ 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/build.properties.default b/build.properties.default index 10484587da..39d9a4e45a 100644 --- a/build.properties.default +++ b/build.properties.default @@ -249,10 +249,10 @@ objenesis.jar=${objenesis.home}/objenesis-${objenesis.version}.jar objenesis.loc=${base-maven.loc}/org/objenesis/objenesis/${objenesis.version}/objenesis-${objenesis.version}.jar # - byte-buddy, used by EasyMock, version 1.12.18 or later - -bytebuddy.version=1.17.4 +bytebuddy.version=1.17.5 bytebuddy.checksum.enabled=true bytebuddy.checksum.algorithm=MD5|SHA-1 -bytebuddy.checksum.value=7ba5cdb49a0e311e730b9a6dde61f95a|ffb8488d93290eff074fb542a596e4c5a26d0315 +bytebuddy.checksum.value=cf90ce9f1d325155ec7b0276a781c592|88450f120903b7e72470462cdbd2b75a3842223c bytebuddy.home=${base.path}/byte-buddy-${bytebuddy.version} bytebuddy.jar=${bytebuddy.home}/byte-buddy-${bytebuddy.version}.jar bytebuddy.loc=${base-maven.loc}/net/bytebuddy/byte-buddy/${bytebuddy.version}/byte-buddy-${bytebuddy.version}.jar diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 2ec44dd1a4..ab1f54de20 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml 
@@ -153,6 +153,9 @@ Explicitly set the locale to be used for Javadoc. For official releases, this locale will be English (US) to support reproducible builds. (schultz) + +Update Byte Buddy to 1.17.5. (markt) + - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
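Review bot: In the build.properties.default hunk, bytebuddy.checksum.algorithm=MD5|SHA-1 is carried over unchanged, so the new 1.17.5 jar is still verified only against MD5 and SHA-1 digests, both of which have practical collision attacks. Consider moving this entry to a SHA-2 digest while the pin is being touched, for example bytebuddy.checksum.algorithm=SHA-512 with the matching value, which is the form the Checkstyle entry in the same file already uses. The commit message also gives no source for the two new digest values; naming where they were obtained would make the pin easier to audit.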
(tomcat) branch main updated: Update Byte Buddy to 1.17.5
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/main by this push: new 0bfa84b7b3 Update Byte Buddy to 1.17.5 0bfa84b7b3 is described below commit 0bfa84b7b343dc440e3e9b22d7d9f4326102a8c3 Author: Mark Thomas AuthorDate: Mon Apr 28 20:49:58 2025 +0100 Update Byte Buddy to 1.17.5 --- build.properties.default | 4 ++-- webapps/docs/changelog.xml | 3 +++ 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/build.properties.default b/build.properties.default index 2121741203..915af6a3de 100644 --- a/build.properties.default +++ b/build.properties.default @@ -249,10 +249,10 @@ objenesis.jar=${objenesis.home}/objenesis-${objenesis.version}.jar objenesis.loc=${base-maven.loc}/org/objenesis/objenesis/${objenesis.version}/objenesis-${objenesis.version}.jar # - byte-buddy, used by EasyMock, version 1.12.18 or later - -bytebuddy.version=1.17.4 +bytebuddy.version=1.17.5 bytebuddy.checksum.enabled=true bytebuddy.checksum.algorithm=MD5|SHA-1 -bytebuddy.checksum.value=7ba5cdb49a0e311e730b9a6dde61f95a|ffb8488d93290eff074fb542a596e4c5a26d0315 +bytebuddy.checksum.value=cf90ce9f1d325155ec7b0276a781c592|88450f120903b7e72470462cdbd2b75a3842223c bytebuddy.home=${base.path}/byte-buddy-${bytebuddy.version} bytebuddy.jar=${bytebuddy.home}/byte-buddy-${bytebuddy.version}.jar bytebuddy.loc=${base-maven.loc}/net/bytebuddy/byte-buddy/${bytebuddy.version}/byte-buddy-${bytebuddy.version}.jar diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 451a2f5191..909aa06e15 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -252,6 +252,9 @@ Update Jacoco to 0.8.13. (remm) + +Update Byte Buddy to 1.17.5. (markt) + - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
(tomcat) 02/02: tabs -> spaces
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 10.1.x in repository https://gitbox.apache.org/repos/asf/tomcat.git commit dc53be3692c43d8c141aaf55ecd2760a9902248f Author: Mark Thomas AuthorDate: Mon Apr 28 20:52:33 2025 +0100 tabs -> spaces --- test/jakarta/servlet/jsp/TesterPageContextWithAttributes.java | 10 +- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/test/jakarta/servlet/jsp/TesterPageContextWithAttributes.java b/test/jakarta/servlet/jsp/TesterPageContextWithAttributes.java index bf93e09493..ba3daff0cf 100644 --- a/test/jakarta/servlet/jsp/TesterPageContextWithAttributes.java +++ b/test/jakarta/servlet/jsp/TesterPageContextWithAttributes.java @@ -50,15 +50,15 @@ public class TesterPageContextWithAttributes extends TesterPageContext { switch (scope) { case PAGE_SCOPE: - return pageAttributes.get(name); +return pageAttributes.get(name); case REQUEST_SCOPE: - return requestAttributes.get(name); +return requestAttributes.get(name); case SESSION_SCOPE: - return sessionAttributes.get(name); +return sessionAttributes.get(name); case APPLICATION_SCOPE: - return applicationAttributes.get(name); +return applicationAttributes.get(name); default: - throw new IllegalArgumentException(Localizer.getMessage("jsp.error.page.invalid.scope")); +throw new IllegalArgumentException(Localizer.getMessage("jsp.error.page.invalid.scope")); } } - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
(tomcat) branch 10.1.x updated (e60d366124 -> dc53be3692)
This is an automated email from the ASF dual-hosted git repository.

markt pushed a change to branch 10.1.x in repository https://gitbox.apache.org/repos/asf/tomcat.git

    from e60d366124 Add note on pathInfo, constraints and default servlet like servlets
     new 26c8a5c4bb Update Byte Buddy to 1.17.5
     new dc53be3692 tabs -> spaces

The 2 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference.

Summary of changes:
 build.properties.default                                      |  4 ++--
 test/jakarta/servlet/jsp/TesterPageContextWithAttributes.java | 10 +-
 webapps/docs/changelog.xml                                    |  3 +++
 3 files changed, 10 insertions(+), 7 deletions(-)
(tomcat) 01/02: Update Byte Buddy to 1.17.5
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 10.1.x in repository https://gitbox.apache.org/repos/asf/tomcat.git commit 26c8a5c4bb67348b02b2bf1efd5a8fa75ad364ae Author: Mark Thomas AuthorDate: Mon Apr 28 20:49:58 2025 +0100 Update Byte Buddy to 1.17.5 --- build.properties.default | 4 ++-- webapps/docs/changelog.xml | 3 +++ 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/build.properties.default b/build.properties.default index fbba4e6042..985295b4e7 100644 --- a/build.properties.default +++ b/build.properties.default @@ -270,10 +270,10 @@ objenesis.jar=${objenesis.home}/objenesis-${objenesis.version}.jar objenesis.loc=${base-maven.loc}/org/objenesis/objenesis/${objenesis.version}/objenesis-${objenesis.version}.jar # - byte-buddy, used by EasyMock, version 1.12.18 or later - -bytebuddy.version=1.17.4 +bytebuddy.version=1.17.5 bytebuddy.checksum.enabled=true bytebuddy.checksum.algorithm=MD5|SHA-1 -bytebuddy.checksum.value=7ba5cdb49a0e311e730b9a6dde61f95a|ffb8488d93290eff074fb542a596e4c5a26d0315 +bytebuddy.checksum.value=cf90ce9f1d325155ec7b0276a781c592|88450f120903b7e72470462cdbd2b75a3842223c bytebuddy.home=${base.path}/byte-buddy-${bytebuddy.version} bytebuddy.jar=${bytebuddy.home}/byte-buddy-${bytebuddy.version}.jar bytebuddy.loc=${base-maven.loc}/net/bytebuddy/byte-buddy/${bytebuddy.version}/byte-buddy-${bytebuddy.version}.jar diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index c5584c9fe0..dca8a1a854 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -174,6 +174,9 @@ Explicitly set the locale to be used for Javadoc. For official releases, this locale will be English (US) to support reproducible builds. (schultz) + +Update Byte Buddy to 1.17.5. (markt) + - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
(tomcat) branch 9.0.x updated: Update Byte Buddy to 1.17.5
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/9.0.x by this push: new 537b596e75 Update Byte Buddy to 1.17.5 537b596e75 is described below commit 537b596e75471c2f30d164267e23d94b5cd1989a Author: Mark Thomas AuthorDate: Mon Apr 28 20:49:58 2025 +0100 Update Byte Buddy to 1.17.5 --- build.properties.default | 4 ++-- webapps/docs/changelog.xml | 3 +++ 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/build.properties.default b/build.properties.default index 6afb712be6..c606556553 100644 --- a/build.properties.default +++ b/build.properties.default @@ -272,10 +272,10 @@ objenesis.jar=${objenesis.home}/objenesis-${objenesis.version}.jar objenesis.loc=${base-maven.loc}/org/objenesis/objenesis/${objenesis.version}/objenesis-${objenesis.version}.jar # - byte-buddy, used by EasyMock, version 1.12.18 or later - -bytebuddy.version=1.17.4 +bytebuddy.version=1.17.5 bytebuddy.checksum.enabled=true bytebuddy.checksum.algorithm=MD5|SHA-1 -bytebuddy.checksum.value=7ba5cdb49a0e311e730b9a6dde61f95a|ffb8488d93290eff074fb542a596e4c5a26d0315 +bytebuddy.checksum.value=cf90ce9f1d325155ec7b0276a781c592|88450f120903b7e72470462cdbd2b75a3842223c bytebuddy.home=${base.path}/byte-buddy-${bytebuddy.version} bytebuddy.jar=${bytebuddy.home}/byte-buddy-${bytebuddy.version}.jar bytebuddy.loc=${base-maven.loc}/net/bytebuddy/byte-buddy/${bytebuddy.version}/byte-buddy-${bytebuddy.version}.jar diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 6dce49b0c1..c6cd668373 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml 
@@ -158,6 +158,9 @@ Explicitly set the locale to be used for Javadoc. For official releases, this locale will be English (US) to support reproducible builds. + +Update Byte Buddy to 1.17.5. (markt) + - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Buildbot failure in on tomcat-12.0.x
Build status: BUILD FAILED: failed compile (failure)
Worker used: bb_worker2_ubuntu
URL: https://ci2.apache.org/#builders/120/builds/529
Blamelist: Mark Thomas
Build Text: failed compile (failure)
Status Detected: new failure
Build Source Stamp: [branch main] 9f858d3e0bad65d702cd81b6cbfff69d65479372

Steps:
  worker_preparation: 0
  git: 0
  shell: 0
  shell_1: 0
  shell_2: 0
  shell_3: 0
  shell_4: 0
  shell_5: 0
  shell_6: 0
  shell_7: 0
  compile: 1
  shell_8: 0
  shell_9: 0
  shell_10: 0
  shell_11: 0
  Rsync docs to nightlies.apache.org: 0
  shell_12: 0
  Rsync RAT to nightlies.apache.org: 0
  compile_1: 2
  shell_13: 0
  Rsync Logs to nightlies.apache.org: 0

-- ASF Buildbot
(tomcat) branch main updated: Update Checkstyle to 10.23.1
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/main by this push: new 486c2457cd Update Checkstyle to 10.23.1 486c2457cd is described below commit 486c2457cd475bc64b6056d5dfd1957a0025ba37 Author: Mark Thomas AuthorDate: Mon Apr 28 20:59:06 2025 +0100 Update Checkstyle to 10.23.1 --- build.properties.default | 4 ++-- webapps/docs/changelog.xml | 3 +++ 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/build.properties.default b/build.properties.default index 915af6a3de..1743647443 100644 --- a/build.properties.default +++ b/build.properties.default @@ -267,10 +267,10 @@ unboundid.jar=${unboundid.home}/unboundid-ldapsdk-${unboundid.version}.jar unboundid.loc=${base-maven.loc}/com/unboundid/unboundid-ldapsdk/${unboundid.version}/unboundid-ldapsdk-${unboundid.version}.jar # - Checkstyle, version 6.16 or later - -checkstyle.version=10.21.4 +checkstyle.version=10.23.1 checkstyle.checksum.enabled=true checkstyle.checksum.algorithm=SHA-512 -checkstyle.checksum.value=56f13d6dc4614ce3d41363d0b52f2ab3ebb75579823e066ac49ac13d00856fd11e3e8c5094b4b392a80afee8f652350d4aff2fd1675806ff375752a14a529abc +checkstyle.checksum.value=bd73ff6271d970fe4d13cc4d1410c9b305c908fb17fa6dae898fbd3ec359acd93417d8e2ea4aa17bddfa125ebc89d7fe743ec81072cea0691be35dc21e5e4b27 checkstyle.home=${base.path}/checkstyle-${checkstyle.version} checkstyle.jar=${checkstyle.home}/checkstyle-${checkstyle.version}-all.jar checkstyle.loc=${base-gh.loc}/checkstyle/checkstyle/releases/download/checkstyle-${checkstyle.version}/checkstyle-${checkstyle.version}-all.jar diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 909aa06e15..0a1308f3d5 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml 
@@ -255,6 +255,9 @@ Update Byte Buddy to 1.17.5. (markt) + +Update Checkstyle to 10.23.1. (markt) + - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
(tomcat) branch 10.1.x updated: Update Checkstyle to 10.23.1
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 10.1.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/10.1.x by this push: new e8a98fc7a0 Update Checkstyle to 10.23.1 e8a98fc7a0 is described below commit e8a98fc7a013b161aac17d58bdd8626eb7312910 Author: Mark Thomas AuthorDate: Mon Apr 28 20:59:06 2025 +0100 Update Checkstyle to 10.23.1 --- build.properties.default | 4 ++-- webapps/docs/changelog.xml | 3 +++ 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/build.properties.default b/build.properties.default index 985295b4e7..7188e656c4 100644 --- a/build.properties.default +++ b/build.properties.default @@ -288,10 +288,10 @@ unboundid.jar=${unboundid.home}/unboundid-ldapsdk-${unboundid.version}.jar unboundid.loc=${base-maven.loc}/com/unboundid/unboundid-ldapsdk/${unboundid.version}/unboundid-ldapsdk-${unboundid.version}.jar # - Checkstyle, version 6.16 or later - -checkstyle.version=10.21.4 +checkstyle.version=10.23.1 checkstyle.checksum.enabled=true checkstyle.checksum.algorithm=SHA-512 -checkstyle.checksum.value=56f13d6dc4614ce3d41363d0b52f2ab3ebb75579823e066ac49ac13d00856fd11e3e8c5094b4b392a80afee8f652350d4aff2fd1675806ff375752a14a529abc +checkstyle.checksum.value=bd73ff6271d970fe4d13cc4d1410c9b305c908fb17fa6dae898fbd3ec359acd93417d8e2ea4aa17bddfa125ebc89d7fe743ec81072cea0691be35dc21e5e4b27 checkstyle.home=${base.path}/checkstyle-${checkstyle.version} checkstyle.jar=${checkstyle.home}/checkstyle-${checkstyle.version}-all.jar checkstyle.loc=${base-gh.loc}/checkstyle/checkstyle/releases/download/checkstyle-${checkstyle.version}/checkstyle-${checkstyle.version}-all.jar diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index dca8a1a854..87e68953ad 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml 
@@ -177,6 +177,9 @@ Update Byte Buddy to 1.17.5. (markt) + +Update Checkstyle to 10.23.1. (markt) + - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
(tomcat) branch 11.0.x updated: Update Checkstyle to 10.23.1
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 11.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/11.0.x by this push: new 9455c83d05 Update Checkstyle to 10.23.1 9455c83d05 is described below commit 9455c83d0562bf427c664d6e30efc28fc72c6aae Author: Mark Thomas AuthorDate: Mon Apr 28 20:59:06 2025 +0100 Update Checkstyle to 10.23.1 --- build.properties.default | 4 ++-- webapps/docs/changelog.xml | 3 +++ 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/build.properties.default b/build.properties.default index 39d9a4e45a..6bc9d5bbcd 100644 --- a/build.properties.default +++ b/build.properties.default @@ -267,10 +267,10 @@ unboundid.jar=${unboundid.home}/unboundid-ldapsdk-${unboundid.version}.jar unboundid.loc=${base-maven.loc}/com/unboundid/unboundid-ldapsdk/${unboundid.version}/unboundid-ldapsdk-${unboundid.version}.jar # - Checkstyle, version 6.16 or later - -checkstyle.version=10.21.4 +checkstyle.version=10.23.1 checkstyle.checksum.enabled=true checkstyle.checksum.algorithm=SHA-512 -checkstyle.checksum.value=56f13d6dc4614ce3d41363d0b52f2ab3ebb75579823e066ac49ac13d00856fd11e3e8c5094b4b392a80afee8f652350d4aff2fd1675806ff375752a14a529abc +checkstyle.checksum.value=bd73ff6271d970fe4d13cc4d1410c9b305c908fb17fa6dae898fbd3ec359acd93417d8e2ea4aa17bddfa125ebc89d7fe743ec81072cea0691be35dc21e5e4b27 checkstyle.home=${base.path}/checkstyle-${checkstyle.version} checkstyle.jar=${checkstyle.home}/checkstyle-${checkstyle.version}-all.jar checkstyle.loc=${base-gh.loc}/checkstyle/checkstyle/releases/download/checkstyle-${checkstyle.version}/checkstyle-${checkstyle.version}-all.jar diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index ab1f54de20..44563fb95f 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml 
@@ -156,6 +156,9 @@ Update Byte Buddy to 1.17.5. (markt) + +Update Checkstyle to 10.23.1. (markt) + - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
(tomcat) branch 9.0.x updated: Update Checkstyle to 10.23.1
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/9.0.x by this push: new 4462afa05a Update Checkstyle to 10.23.1 4462afa05a is described below commit 4462afa05aafe6971c740cefa093fb6dd293d8b3 Author: Mark Thomas AuthorDate: Mon Apr 28 20:59:06 2025 +0100 Update Checkstyle to 10.23.1 --- build.properties.default | 4 ++-- webapps/docs/changelog.xml | 3 +++ 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/build.properties.default b/build.properties.default index c606556553..40441926d3 100644 --- a/build.properties.default +++ b/build.properties.default @@ -290,10 +290,10 @@ unboundid.jar=${unboundid.home}/unboundid-ldapsdk-${unboundid.version}.jar unboundid.loc=${base-maven.loc}/com/unboundid/unboundid-ldapsdk/${unboundid.version}/unboundid-ldapsdk-${unboundid.version}.jar # - Checkstyle, version 6.16 or later - -checkstyle.version=10.21.4 +checkstyle.version=10.23.1 checkstyle.checksum.enabled=true checkstyle.checksum.algorithm=SHA-512 -checkstyle.checksum.value=56f13d6dc4614ce3d41363d0b52f2ab3ebb75579823e066ac49ac13d00856fd11e3e8c5094b4b392a80afee8f652350d4aff2fd1675806ff375752a14a529abc +checkstyle.checksum.value=bd73ff6271d970fe4d13cc4d1410c9b305c908fb17fa6dae898fbd3ec359acd93417d8e2ea4aa17bddfa125ebc89d7fe743ec81072cea0691be35dc21e5e4b27 checkstyle.home=${base.path}/checkstyle-${checkstyle.version} checkstyle.jar=${checkstyle.home}/checkstyle-${checkstyle.version}-all.jar checkstyle.loc=${base-gh.loc}/checkstyle/checkstyle/releases/download/checkstyle-${checkstyle.version}/checkstyle-${checkstyle.version}-all.jar diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index c6cd668373..74dd6bd695 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml 
@@ -161,6 +161,9 @@ Update Byte Buddy to 1.17.5. (markt) + +Update Checkstyle to 10.23.1. (markt) + - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r1925313 - in /tomcat/site/trunk: docs/security-10.html docs/security-11.html docs/security-9.html xdocs/security-10.xml xdocs/security-11.xml xdocs/security-9.xml
Author: markt Date: Mon Apr 28 19:08:20 2025 New Revision: 1925313 URL: http://svn.apache.org/viewvc?rev=1925313&view=rev Log: CVE-2025-31650 and CVE-2025-2025-31651 Modified: tomcat/site/trunk/docs/security-10.html tomcat/site/trunk/docs/security-11.html tomcat/site/trunk/docs/security-9.html tomcat/site/trunk/xdocs/security-10.xml tomcat/site/trunk/xdocs/security-11.xml tomcat/site/trunk/xdocs/security-9.xml Modified: tomcat/site/trunk/docs/security-10.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-10.html?rev=1925313&r1=1925312&r2=1925313&view=diff == --- tomcat/site/trunk/docs/security-10.html (original) +++ tomcat/site/trunk/docs/security-10.html Mon Apr 28 19:08:20 2025 
@@ -42,7 +42,40 @@ Table of Contents -Fixed in Apache Tomcat 10.1.35Fixed in Apache Tomcat 10.1.34Fixed in Apache Tomcat 10.1.33Fixed in Apache Tomcat 10.1.31Fixed in Apache Tomcat 10.1.25Fixed in Apache Tomcat 10.1.19Fixed in Apache Tomcat 10.1.16Fixed in Apache Tomcat 10.1.14Fixed in Apache Tomcat 10.1.13Fixed in Apache Tomcat 10.1.9Fixed in Apache Tomcat 10.1.8Fixed in Apac he Tomcat 10.1.6Fixed in Apache Tomcat 10.1.5Fixed in Apache Tomcat 10.1.2Fixed in Apache Tomcat 10.1.1Fixed in Apache Tomcat 10.0.27Fixed in Apache Tomcat 10.0.23Fixed in Apache Tomcat 10.1.0-M17Fixed in Apache Tomcat 10.0.21Fixed in Apache Tomcat 10.1.0-M15Fixed in Apache Tomcat 10.0.20Fixed in Apache Tomcat 10.1.0-M14Fixed in Apache Tomcat 10.0.16Fixed in Apache Tomcat 10.1.0-M10Fixed in Apache Tomcat 10.0.12Fixed in Apache Tomcat 10.1.0-M6Fixed in Apache Tomcat 10.0.7Fixed in Apache Tomcat 10.0.6Fixed in Apache Tomcat 10.0.5Fixed in Apache Tomcat 10.0.4Fixed in Apache Tomcat 10.0.2Fixed in Apache Tomcat 10.0.0-M10Fixed in Apache Tomcat 10.0.0-M8Fixed in Apache Tomcat 10.0.0-M7Fixed in Apache Tomcat 10 .0.0-M6Fixed in Apache Tomcat 10.0.0-M5Not a vulnerability in Tomcat +Fixed in Apache Tomcat 10.1.40Fixed in Apache Tomcat 10.1.35Fixed in Apache Tomcat 10.1.34Fixed in Apache Tomcat 10.1.33Fixed in Apache Tomcat 10.1.31Fixed in Apache Tomcat 10.1.25Fixed in Apache Tomcat 10.1.19Fixed in Apache Tomcat 10.1.16Fixed in Apache Tomcat 10.1.14Fixed in Apache Tomcat 10.1.13Fixed in Apache Tomcat 10.1.9Fixed in Ap ache Tomcat 10.1.8Fixed in Apache Tomcat 10.1.6Fixed in Apache Tomcat 10.1.5Fixed in Apache Tomcat 10.1.2Fixed in Apache Tomcat 10.1.1Fixed in Apache Tomcat 10.0.27Fixed in Apache Tomcat 10.0.23Fixed in Apache Tomcat 10.1.0-M17Fixed in Apache Tomcat 10.0.21Fixed in Apache Tomcat 10.1.0-M15Fixed in Apache Tomcat 10.0.20Fixed in Apache Tomcat 10.1.0-M14Fixed in Apache Tomcat 10.0.16Fixed in Apache Tomcat 10.1.0-M10Fixed in Apache Tomcat 10.0.12Fixed in Apache Tomcat 10.1.0-M6Fixed in Apache 
Tomcat 10.0.7Fixed in Apache Tomcat 10.0.6Fixed in Apache Tomcat 10.0.5Fixed in Apache Tomcat 10.0.4Fixed in Apache Tomcat 10.0.2Fixed in Apache Tomcat 10.0.0-M10Fixed in Apache Tomcat 10.0.0-M8Fixed in Apache Tomcat 10.0.0 -M7Fixed in Apache Tomcat 10.0.0-M6Fixed in Apache Tomcat 10.0.0-M5Not a vulnerability in Tomcat + 2025-04-08 Fixed in Apache Tomcat 10.1.40 + +Low: Rewrite rule bypass http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-31651"; rel="nofollow">CVE-2025-31651 + +For a subset of unlikely rewrite rule configurations, it was possible for + a specially crafted request to bypass some rewrite rules. If those + rewrite rules effectively enforced security constraints, those + constraints could be bypassed. + +This was fixed with commit + https://github.com/apache/tomcat/commit/066bf6b6a15a4e7e0941d4acf096841165b97098";>066bf6b6. + +The issue was made public on 28 April 2025. + +Affects: 10.1.0-M1 to 10.1.39 + +Important: Denial of Service via invalid HTTP priority + header http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-31650"; rel="nofollow">CVE-2025-31650 + +Incorrect error handling for some invalid HTTP priority headers resulted + in incomplete clean-up of the failed request which created a memory leak. + A large number of such requests could trigger an + OutOfMemoryException resulting in a denial of service. + +This was fixed with commits + https://github.com/apache/tomcat/commit/cba1a0fe1289ee7f5dd46c61c38d1e1ac5437bff";>cba1a0fe, + https://github.com/apache/tomcat/commit/1eef1dc459c45f1e421d8bd25ef340fc1cc34edc";>1eef1dc4 and + https://github.com/apache/tomcat/commit/8cc3b8fb3f2d8d4d6a757e014f19d1fafa948a60";>8cc3b8fb. + +The issue was made public on 28 April 2025. + +Affects: 10.1.10 to 10.1.39 + 2025-02-10 Fixed in Apache Tomcat 10.1.35 Important: Remote Code Execution and/or Information disclosure Modified: tomcat/site/trunk/docs/security-11.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/
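Review bot: In the added CVE-2025-31650 entry, the text says a large number of requests "could trigger an OutOfMemoryException", but the JDK has no class of that name; the condition the JVM raises is java.lang.OutOfMemoryError. Suggest writing "OutOfMemoryError" so the wording matches what operators will find in their logs. Separately, both new CVE links use http://cve.mitre.org/...; an https:// URL would be consistent with the commit links in the same entries.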
[SECURITY] CVE-2025-31650 Apache Tomcat - DoS via invalid HTTP prioritization header
CVE-2025-31650 Apache Tomcat - DoS via invalid HTTP prioritization header

Severity: High

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 11.0.0-M2 to 11.0.5
Apache Tomcat 10.1.10 to 10.1.39
Apache Tomcat 9.0.76 to 9.0.102

Description:
Incorrect error handling for some invalid HTTP priority headers resulted in incomplete clean-up of the failed request which created a memory leak. A large number of such requests could trigger an OutOfMemoryException resulting in a denial of service.

Mitigation:
Users of the affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 11.0.6 or later
- Upgrade to Apache Tomcat 10.1.40 or later
- Upgrade to Apache Tomcat 9.0.104 or later

Note: This issue was fixed in Apache Tomcat 9.0.103 but the release vote for the 9.0.103 release candidate did not pass. Therefore, although users must download 9.0.104 to obtain a version that includes a fix for this issue, version 9.0.103 is not included in the list of affected versions.

Credit:
The vulnerability was identified by the Tomcat security team.

History:
2025-04-28 Original advisory

References:
[1] https://tomcat.apache.org/security-11.html
[2] https://tomcat.apache.org/security-10.html
[3] https://tomcat.apache.org/security-9.html
[SECURITY] CVE-2025-31651 Apache Tomcat - Rewrite rule bypass
CVE-2025-31651 Apache Tomcat - Rewrite rule bypass

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 11.0.0-M1 to 11.0.5
Apache Tomcat 10.1.0-M1 to 10.1.39
Apache Tomcat 9.0.0.M1 to 9.0.102

Description:
For a subset of unlikely rewrite rule configurations, it was possible for a specially crafted request to bypass some rewrite rules. If those rewrite rules effectively enforced security constraints, those constraints could be bypassed.

Mitigation:
Users of the affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 11.0.6 or later
- Upgrade to Apache Tomcat 10.1.40 or later
- Upgrade to Apache Tomcat 9.0.104 or later

Note: This issue was fixed in Apache Tomcat 9.0.103 but the release vote for the 9.0.103 release candidate did not pass. Therefore, although users must download 9.0.104 to obtain a version that includes a fix for this issue, version 9.0.103 is not included in the list of affected versions.

Credit:
The vulnerability was identified by COSCO Shipping Lines DIC.

History:
2025-04-28 Original advisory

References:
[1] https://tomcat.apache.org/security-11.html
[2] https://tomcat.apache.org/security-10.html
[3] https://tomcat.apache.org/security-9.html
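For triaging an inventory against the two advisories above (CVE-2025-31650 and CVE-2025-31651), the following is an added example and not part of the original announcements or of Tomcat. The affected ranges are copied from the advisories; the hostnames, installed versions and the labels BRANCH-NOT-LISTED and VERSION-UNPARSED are constructed for the example.

```python
import re

# Inclusive affected ranges, copied from the two advisories above.
AFFECTED = {
    "CVE-2025-31650": [("11.0.0-M2", "11.0.5"), ("10.1.10", "10.1.39"), ("9.0.76", "9.0.102")],
    "CVE-2025-31651": [("11.0.0-M1", "11.0.5"), ("10.1.0-M1", "10.1.39"), ("9.0.0.M1", "9.0.102")],
}
# Branches the advisories speak about; other branches were not assessed there.
LISTED_BRANCHES = {(9, 0), (10, 1), (11, 0)}
# Accepts "10.1.39", "11.0.0-M2", "9.0.0.M1" and "Apache Tomcat/9.0.102".
_VERSION = re.compile(r"^(?:Apache Tomcat/)?(\d+)\.(\d+)\.(\d+)(?:[-.]M(\d+))?$")

def parse_version(text):
    """Return a sortable tuple; milestone builds sort before the final release."""
    match = _VERSION.match(text.strip())
    if match is None:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = match.groups()
    tail = (0, int(milestone)) if milestone else (1, 0)
    return (int(major), int(minor), int(patch)) + tail

def affected_by(version):
    """List the advisories whose affected range contains this version."""
    key = parse_version(version)
    if key[:2] not in LISTED_BRANCHES:
        return ["BRANCH-NOT-LISTED"]  # label made up for this example
    return sorted(cve for cve, ranges in AFFECTED.items()
                  if any(parse_version(lo) <= key <= parse_version(hi)
                         for lo, hi in ranges))

def triage(inventory):
    """Map each host to its findings; unparsable versions need a manual look."""
    report = {}
    for host, version in inventory.items():
        try:
            report[host] = affected_by(version)
        except ValueError:
            report[host] = ["VERSION-UNPARSED"]  # label made up for this example
    return report

# Constructed inventory: hostnames and installed versions are made up.
SAMPLE_INVENTORY = {
    "app-01": "Apache Tomcat/10.1.39", "app-02": "10.1.9",
    "app-03": "9.0.104", "app-04": "11.0.0-M1",
    "app-05": "8.5.100", "app-06": "unknown",
}

if __name__ == "__main__":
    for host, findings in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {', '.join(findings) or 'not in an affected range'}")
```

The two advisories do not share lower bounds, so a host on 10.1.9 or 11.0.0-M1 is reported for the rewrite rule bypass only, and 9.0.103 is reported as unaffected because, as the advisories note, it is not in the affected list.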
(tomcat) branch 10.1.x updated: Add note on pathInfo, constraints and default servlet like servlets
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 10.1.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/10.1.x by this push: new e60d366124 Add note on pathInfo, constraints and default servlet like servlets e60d366124 is described below commit e60d36612417f726f0d407c718a9c3990c43ed19 Author: Mark Thomas AuthorDate: Mon Apr 28 20:44:15 2025 +0100 Add note on pathInfo, constraints and default servlet like servlets --- webapps/docs/security-howto.xml | 8 1 file changed, 8 insertions(+) diff --git a/webapps/docs/security-howto.xml b/webapps/docs/security-howto.xml index e19f9ab9dd..ec338c3e58 100644 --- a/webapps/docs/security-howto.xml +++ b/webapps/docs/security-howto.xml @@ -573,6 +573,14 @@ The WebDAV servlet enables edit functionality for web application content. If the WebDAV servlet is enabled, the WebDAV functionality should be appropriately secured. + +When configuring security constraints, care should be taken if the URL +pattern for one or more constraints covers any segment of the URL that +becomes part of the pathInfo for a servlet and the servlet uses the pathInfo +to identify some other resource (like the default servlet does). In those +circumstances, correct application of the security constraint depends on the +implementation of the Servlet. All servlets included with Tomcat will behave +correctly in this scenario. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
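Review bot: The added paragraph says correct application of the constraint "depends on the implementation of the Servlet" but never states what a servlet has to do to be correct, so the author of a third-party servlet has nothing to check against. Suggest adding one sentence that states the expected behaviour when the pathInfo identifies another resource, or pointing to where that behaviour is documented.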
(tomcat) branch 9.0.x updated: Add note on pathInfo, constraints and default servlet like servlets
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/9.0.x by this push: new dfc3278334 Add note on pathInfo, constraints and default servlet like servlets dfc3278334 is described below commit dfc32783343e0a2bc8b93fd4cd5e5f2bcf152695 Author: Mark Thomas AuthorDate: Mon Apr 28 20:44:15 2025 +0100 Add note on pathInfo, constraints and default servlet like servlets --- webapps/docs/security-howto.xml | 8 1 file changed, 8 insertions(+) diff --git a/webapps/docs/security-howto.xml b/webapps/docs/security-howto.xml index f5f890b1d2..a3b8e4119e 100644 --- a/webapps/docs/security-howto.xml +++ b/webapps/docs/security-howto.xml @@ -583,6 +583,14 @@ The WebDAV servlet enables edit functionality for web application content. If the WebDAV servlet is enabled, the WebDAV functionality should be appropriately secured. + +When configuring security constraints, care should be taken if the URL +pattern for one or more constraints covers any segment of the URL that +becomes part of the pathInfo for a servlet and the servlet uses the pathInfo +to identify some other resource (like the default servlet does). In those +circumstances, correct application of the security constraint depends on the +implementation of the Servlet. All servlets included with Tomcat will behave +correctly in this scenario. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
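Review bot: The closing added sentence, "All servlets included with Tomcat will behave correctly in this scenario", is unqualified on a maintenance branch where readers may be running an older 9.0.x build. If the statement only holds from a particular release, name that release; if it holds for every 9.0.x release, say so.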
(tomcat) branch 11.0.x updated: Add note on pathInfo, constraints and default servlet like servlets
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 11.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/11.0.x by this push: new b7ec790248 Add note on pathInfo, constraints and default servlet like servlets b7ec790248 is described below commit b7ec790248951c1780b62508d6298cec540806d8 Author: Mark Thomas AuthorDate: Mon Apr 28 20:44:15 2025 +0100 Add note on pathInfo, constraints and default servlet like servlets --- webapps/docs/security-howto.xml | 8 1 file changed, 8 insertions(+) diff --git a/webapps/docs/security-howto.xml b/webapps/docs/security-howto.xml index 5600ecbfb8..c167f00fce 100644 --- a/webapps/docs/security-howto.xml +++ b/webapps/docs/security-howto.xml @@ -547,6 +547,14 @@ The WebDAV servlet enables edit functionality for web application content. If the WebDAV servlet is enabled, the WebDAV functionality should be appropriately secured. + +When configuring security constraints, care should be taken if the URL +pattern for one or more constraints covers any segment of the URL that +becomes part of the pathInfo for a servlet and the servlet uses the pathInfo +to identify some other resource (like the default servlet does). In those +circumstances, correct application of the security constraint depends on the +implementation of the Servlet. All servlets included with Tomcat will behave +correctly in this scenario. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
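Review bot: Style point in the last two added lines: "implementation of the Servlet" is capitalised, while "All servlets included with Tomcat" and the earlier "for a servlet and the servlet uses the pathInfo" are not. Pick one form for the paragraph; lower case matches the surrounding context ("The WebDAV servlet").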
(tomcat) branch main updated: Add note on pathInfo, constraints and default servlet like servlets
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/main by this push: new 9f858d3e0b Add note on pathInfo, constraints and default servlet like servlets 9f858d3e0b is described below commit 9f858d3e0bad65d702cd81b6cbfff69d65479372 Author: Mark Thomas AuthorDate: Mon Apr 28 20:44:15 2025 +0100 Add note on pathInfo, constraints and default servlet like servlets --- webapps/docs/security-howto.xml | 8 1 file changed, 8 insertions(+) diff --git a/webapps/docs/security-howto.xml b/webapps/docs/security-howto.xml index 5600ecbfb8..c167f00fce 100644 --- a/webapps/docs/security-howto.xml +++ b/webapps/docs/security-howto.xml @@ -547,6 +547,14 @@ The WebDAV servlet enables edit functionality for web application content. If the WebDAV servlet is enabled, the WebDAV functionality should be appropriately secured. + +When configuring security constraints, care should be taken if the URL +pattern for one or more constraints covers any segment of the URL that +becomes part of the pathInfo for a servlet and the servlet uses the pathInfo +to identify some other resource (like the default servlet does). In those +circumstances, correct application of the security constraint depends on the +implementation of the Servlet. All servlets included with Tomcat will behave +correctly in this scenario. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
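Review bot: The condition in the first added sentence ("covers any segment of the URL that becomes part of the pathInfo for a servlet") is hard to apply to a real deployment without an example. Suggest a short illustration giving one servlet mapping, one constraint URL pattern and the resulting pathInfo, so readers can tell whether their own configuration is in scope.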